CVE & CISA-KEV Catalog

CVE-2026-2950

MEDIUM
6.5
CVSS v3
NVD

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

How to fix

Remediation Available
node-lodashDebian
Fixed in:4.18.1+dfsg-1CVE-2026-2950
registry.redhat.io/rhdh/rhdhRocky
Fixed in:operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64RHSA-2026:24841
Fixed in:rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64RHSA-2026:24841
Fixed in:hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64RHSA-2026:24841
registry.redhat.io/rhdh/rhdhRed Hat / RHEL
Fixed in:operator-bundle@sha256:b04577fd53315437ef4580af92055fb5238649a5a11e68e264ea1ed70eae79db_amd64RHSA-2026:24841
Fixed in:rhel9-operator@sha256:c290c8d9d433286ac038022c229b359500b7451a3d3f97c3c50371b6198df029_amd64RHSA-2026:24841
Fixed in:hub-rhel9@sha256:b99622b2ec913bdf7ad25a7a9919fbf07a6a177548b3f486acf648c533ca4f22_amd64RHSA-2026:24841
libjs-lodashUbuntu
Fixed in:2.4.1+dfsg-3ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.4+dfsg-1ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.15+dfsg-2ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1USN-8411-1
node-lodashUbuntu
Fixed in:2.4.1+dfsg-3ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.4+dfsg-1ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.15+dfsg-2ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1USN-8411-1
node-lodash-packagesUbuntu
Fixed in:4.17.15+dfsg-2ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-5ubuntu0.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.24.04.1~esm1USN-8411-1
Fixed in:4.17.21+dfsg+~cs8.31.198.20210220-9ubuntu0.25.10.1USN-8411-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityLow
AvailabilityLow

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploit Intelligence

0.32%probability of exploitation in 30 days
24thpercentile

Low risk: more likely to be exploited than 24% of all known CVEs.

References

Vendor Advisory1
Embed a live status badge for CVE-2026-2950
CVE-2026-2950 severity badge

Markdown

[![CVE-2026-2950](https://tridentstack.com/cve/badge/CVE-2026-2950.svg)](https://tridentstack.com/cve/CVE-2026-2950)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-2950"><img src="https://tridentstack.com/cve/badge/CVE-2026-2950.svg" alt="CVE-2026-2950"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-07.